ATO “Right to Obtain a Refund” Malware Emails

Outline:
Emails purporting to be from the Australian Taxation Office (ATO) claim that you have the right to obtain a refund or reimbursement and should therefore click a link to download more information.

Brief Analysis:
The emails are not from the ATO and the promised refund does not exist. It is a criminal ruse designed to trick you into visiting a fraudulent website and downloading malware.

Example:
IMPORTANT NOTICE Australian Taxation Office – 20/10/2016

After the last estimation of your fiscal actions has been found that you have the right to obtain a refund of 2335.85 AUD.Please follow the link below to download the deal information: [link removed]

After the last estimation of your financial activity has been found that you have the right to obtain a reimbursement of 7272.48 AUD.Please follow the link below to download the operation information: [link removed]

James Wesley,
Tax Refund Department
Australian Taxation Office

Detailed Analysis:
According to a series of emails that claim to be from the Australian Taxation Office (ATO), you have the right to obtain a refund or reimbursement for several thousand dollars. The emails include a link that supposedly downloads a document with more information about your unexpected refund.

Clicking the link opens a fake ATO “download center” webpage (see screenshot below) that prompts you to download what it claims is a PDF containing a declaration form.

However, the supposed PDF is in fact a .zip file that harbours a malicious .scr file. If you click the .scr file, it can install malware on your computer.
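The mismatch described above (a download presented as a PDF that is really a .zip holding a .scr program) can be checked for mechanically. The following Python sketch is an added example, not part of the original article; the function names, the extension list and the sample file name are assumptions made for illustration, and the sample archive is constructed in memory from harmless bytes.

```python
import io
import posixpath
import zipfile

# Extensions Windows runs as programs; .scr (screensaver) is a normal executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading magic bytes."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"

def triage_download(claimed_type: str, data: bytes) -> list[str]:
    """Return findings for a downloaded file; an empty list means nothing flagged."""
    findings = []
    actual = sniff_type(data)
    if actual != claimed_type:
        findings.append(f"type mismatch: claimed {claimed_type}, actual {actual}")
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Windows ignores trailing dots and spaces in file names.
                name = info.filename.lower().rstrip(". ")
                if posixpath.splitext(name)[1] in EXECUTABLE_EXTS:
                    findings.append(f"executable in archive: {info.filename}")
                    continue
                # "MZ" marks a Windows executable whatever the name says.
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings.append(f"PE content with non-executable name: {info.filename}")
    return findings

def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Constructed sample: an in-memory zip with a single harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("declaration_form.scr", b"MZ placeholder, not a program")
    for finding in triage_download("pdf", sample):
        print(finding)
```

The check reads only the first two bytes of each archive member, so it does not decompress large files; password-protected archives are outside what it handles.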

Details, such as the amount of the supposed refund and the name of the supposed ATO staff member listed in the signature, may vary in different versions of the emails. Some versions claim to be from the “Australian Taxation Bureau” rather than the ATO.

The “tax refund” ruse has been used repeatedly in both phishing and malware attacks. The ATO will never send you an unsolicited email that claims that you must click a link or open an attached file to process a refund.

If you receive one of these emails, do not click any links or open any attachments that it contains.

A screenshot of the bogus website:

Last updated: October 21, 2016
First published: October 21, 2016
By Brett M. Christensen